Black Friday [1] has come and gone, but online shoppers are still actively stocking up on goods for the upcoming holidays. Unfortunately, this gives attackers more opportunities to exploit the increased online activity for their own malicious purposes. For instance, according to recent statistics [2], 1 out of 10 Black Friday mobile apps have already been deemed malicious, and we can only imagine how many fraudulent programs are currently targeting PCs. You don't have to look far for examples. Microsoft's malware research team has just reported on a brand new Cerber distribution campaign that relies on powerful social engineering tricks to get the ransomware onto victims' computers [3].

On the one hand, there is nothing innovative about the way Cerber is deployed on computers. The file-locking [4] parasite still spreads via malicious spam emails as an attached Word document that has to be downloaded and opened to activate the payload. What has changed is the initial presentation of these emails. The scammers understand that modern Internet users are more security savvy and will not simply download random attachments from unfamiliar senders, so they have found a new weak spot that is guaranteed to provoke a reaction. The victims now receive personalized emails informing them of urgent billing procedures on their MasterCard accounts which can supposedly be stopped only by going through the attached file. Put on the spot unexpectedly, people are more likely to make rash, ill-considered decisions, which is exactly what the scammers are counting on. To make sure the infiltration is not interrupted by antivirus detection, the scammers protect the virus-carrying Word document with a password (also provided in the email); the encryption hides the malicious macro code from scanners and helps the downloader slip past the system's protection. That leaves the attackers with one final task: tricking the victim into enabling Word macros so that Cerber is downloaded to the device. This obstacle is overcome easily as well. The infected document first opens in a legitimate-looking "Protected View" mode [5] accompanied by instructions explaining how to access its full content. In reality, the victims are being talked into enabling macros and inadvertently allowing the virus to begin its dirty work on the computer.
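The two traits of this lure that a mail gateway can actually observe are a password quoted in the message body and an attachment the scanner cannot look inside. The script below is an added example, not code from the article or from Microsoft's report, showing how a defender might triage such a message. It relies on three documented file-format facts: an encrypted OOXML document (.docx/.docm) is not a ZIP but an OLE compound file (signature `D0 CF 11 E0 A1 B1 1A E1`), an unencrypted OOXML document is a ZIP, and a ZIP that contains `word/vbaProject.bin` carries a VBA project. The message body, the file names and the attachment bytes are all constructed for the demonstration.

```python
"""Triage heuristic for the 'password in the body, encrypted Word file attached'
lure.  Added example: the sample message and attachments are constructed and
are not artefacts of the Cerber campaign."""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary signature
ZIP_MAGIC = b"PK\x03\x04"                          # local file header of a ZIP
OOXML_WORD_EXTS = (".docx", ".docm", ".dotx", ".dotm")

# "password is 1234", "Password: 1234", "password for statement.docx: 1234"
PASSWORD_RE = re.compile(
    r"\bpassword\b(?:\s+is|\s+for\s+\S+)?\s*[:=]?\s*(\S+)", re.IGNORECASE)

# Constructed sample body in the style of the lure described in the article.
SAMPLE_BODY = ("Dear customer,\nan urgent billing procedure on your MasterCard "
               "account is pending. Open the attached statement to stop it. "
               "The document password is 8821.")


def build_docx(with_vba):
    """Build a minimal OOXML-shaped ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def classify_attachment(name, data):
    """Return (verdict, reason) for one Word attachment.

    Office stores an encrypted OOXML document inside an OLE container, so a
    .docx/.docm that starts with the OLE signature is either password protected
    or mislabelled; either way its macros cannot be inspected by a ZIP scanner.
    """
    if name.lower().endswith(OOXML_WORD_EXTS) and data.startswith(OLE_MAGIC):
        return "opaque", "OOXML extension but OLE container: encrypted or mislabelled"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "opaque", "ZIP signature but archive unreadable"
        if "word/vbaProject.bin" in names:
            return "macro", "document carries a VBA project"
        return "clean", "no VBA project in package"
    if data.startswith(OLE_MAGIC):
        return "legacy", "binary .doc: needs a full OLE parse to check macros/encryption"
    return "unknown", "unrecognised file signature"


def password_in_body(body):
    """Return the password the sender hands out in the body, or None."""
    m = PASSWORD_RE.search(body)
    return m.group(1).rstrip(".,;") if m else None


def triage(body, attachments):
    """Score a message; attachments is a list of (filename, bytes)."""
    pw = password_in_body(body)
    findings = [(n,) + classify_attachment(n, d) for n, d in attachments]
    verdicts = {v for _, v, _ in findings}
    score = 0
    if pw:
        score += 1
    if "opaque" in verdicts:
        score += 1
    if pw and "opaque" in verdicts:
        score += 2   # the lure pattern: a key in the body for a box we cannot open
    if "macro" in verdicts:
        score += 2
    return {"password": pw, "findings": findings,
            "score": score, "quarantine": score >= 3}


if __name__ == "__main__":
    encrypted_looking = OLE_MAGIC + b"\x00" * 64   # constructed OLE header only
    print(triage(SAMPLE_BODY, [("statement.docx", encrypted_looking)]))
    print(triage("Hello", [("report.docx", build_docx(with_vba=False))]))
```

The score is deliberately coarse: a quoted password alone is common in legitimate mail, and an encrypted attachment alone is too, but the combination is what the campaign depends on, so it is weighted to cross the quarantine threshold on its own. Anything classed `legacy` or `opaque` should be handed to a tool that parses OLE structures rather than released.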

We should emphasize that ransomware infections are especially destructive. They encrypt files with strong ciphers and block the user from accessing any of the encrypted data. The only chance of recovering the lost documents is to purchase the decryption key from the attackers or, if you are lucky, to decrypt the files with free tools created by malware researchers. Unfortunately, Cerber cannot yet be decrypted, so prevention is the best way to protect your files. We strongly recommend keeping backup copies of your important files and, of course, staying away from suspicious emails!

About the author

Ugnius Kiguolis
- The mastermind

Ugnius Kiguolis is a professional malware analyst and the founder and owner of 2-Spyware. He currently serves as Editor-in-Chief.